Why a strong password doesn't help as much as a unique one

You may snigger when you hear that a few months after the euphemistically named AdultFriendFinder was hacked, now Ashley Madison has had its turn. The site, which enthusiastically advertises its ability to connect people to have affairs, had its accounts compromised, according to security reporter Brian Krebs and confirmed by the company.

You may snigger when you hear that a few months after the euphemistically named AdultFriendFinder was hacked, now Ashley Madison has had its turn. The site, which enthusiastically advertises its ability to connect people to have affairs, had its accounts compromised, according to security reporter Brian Krebs and confirmed by the company.

This site breach is the latest in a seemingly endless series of attacks against sites that have millions or tens of millions of user accounts, and in which that account information gets distributed widely. Crackers and white-hat hackers immediately start looking at the data, both to attack accounts and to warn users.

The conclusion that I draw from these breaches, and especially the recent LastPass account information compromise, is that we may be focusing too much on a strong password and not enough on unique passwords.

Now, I've been banging the drum of unique passwords for years, and regular readers may be tired of hearing me rant about it again. But because people still use the same password in many locations, and often one that's not strong to boot, it's worth explaining the rationale.

Strength through numbers

A strong password is one that can't be guessed from details about you: it's not a person's name in your family, the name of a pet, a past or current address in some form, or the like. It should also be highly resistant to brute force. You've probably seen in analyses of cracked sites that many people's passwords are "123456" or "password."

I spoke to a password and security researcher several months ago who noted that most of the sites that have detailed password requirements don't really improve the strength of a password, even when the red bar that shows a bad password switches to green--including Apple's own password-strength indicator. That's because those features only analyze whether or not you've got enough differentiation (or "entropy") in character choice--mixed case, numbers, and punctuation for instance. This increases the number of brute-force combinations that have to be tried, and thus are scored highly on the red-to-green quality bar.

But "Password1!" is very easy for a cracker to crack because they now walk down selective paths that are based on information derived from previous large-scale cracks. Their tools know that people will add the least amount of complexity and the simplest choice needed. Thus, they type "Password" (upper and lower case) plus the first number on the keyboard, plus the key-cap of that number. Green? Yes, if you look at the quality bar. But it's very red in actual fact.

As I've written about before, a set of a few words uncommonly found together and sufficiently long, like "Christmas penguin haircut" is many, many, many orders of magnitude harder to crack than "[email protected]!!" or even "JWT74PV5JVaj". That's because even if the crackers know three words are involved, the number of iterations to find them is still enormously high if the combination isn't found in typical online texts--like webpages or books--in that language. (Don't pick "Call me Ishmael.")

A strong password resists cracking at sites that have taken at least basic measures to obscure them. But unique passwords let you ensure that one breach doesn't expose you everywhere.

Like a snowflake

A weak password protected strongly is as powerful as a strong password. A strong password that's revealed by an engineering or design fault is as weak as one chosen badly.

When you pick a strong password and use it in multiple places, you're relying that each site or service with which it's paired has a well-designed process to prevent interception on its side or in transit. And that it's chosen the right methods to take your password and store it as an encrypted output, known as a hash.

If you use the same strong password everywhere, any single breach in which it's revealed that a company didn't protect password entry or storage well exposes you at every other site. The way around this is to create strong, unique passwords you don't need to memorize with software like 1Password, LastPass, or several other password-management apps. One exposure therefore exposes, at worst, access to one site.

There are some staggeringly positive examples of sites mitigating password theft. LastPass had an account information breach, but assuming that their description and implementation of how they stored passwords is correct, there is nearly zero chance that passwords from its users will be recovered in bulk. A targeted individual, combined with the password hints that LastPass stored, might be cracked before they can change her or his password, but brute force against all passwords will fail.

I just worked with one outfit for which I do some programming to migrate from an older to newer encrypted-storage methodology, prompted by an update to one module they're using that allows for better methods. The old storage was fine, and the site has no personal or payment information. But if registered site visitors use the same password elsewhere, then we face the problem described above in the event of a breach. The upgrade makes it impossible for a cracker who uses brute force on one stored password to use the same results to match identical plain-text passwords in other accounts. (The system uses salting, a random value added to a password, on top of hashing. The salt prevents two identical passwords from producing the same stored result.)

I know it sounds awful and dangerous to have unique passwords that you aren't memorizing. But it's more dangerous to have one strong one. I use 1Password, and I store my database of password in Dropbox. 1Password always leaves the database encrypted, and decrypts in its client software using the same technique employed by LastPass in its clients and on its server that create so much "work" (computational burden) that someone acquiring my password cache would take years or decades of dedicated work to crack.

The only strong password I need to memorize is the one that secures my 1Password data, and which is never typed in at any online site or used elsewhere. While it sounds counter-intuitive, cracking passwords simply relies on the weakest link in a chain. A strong chain link doesn't prevent a weak one from snapping.